
Threat Flash Alert: Critical Microsoft Windows Server Vulnerability


15 July 2020

Executive Summary

Microsoft has disclosed a critical vulnerability in the Windows DNS Server role that is “wormable”: a flaw in how the server processes DNS messages could let self-propagating malware move from one vulnerable server to the next with no user interaction, with consequences up to and including ransomware deployment. Microsoft rated it CVSS 10.0. It affects all supported versions of Windows Server from 2008 through 2019 on which the DNS Server role is installed (the researchers who reported it, Check Point, say the bug has been present in the code for around 17 years). It does not affect client editions such as Windows 10, which do not ship the DNS Server role. The vulnerability is tracked as CVE-2020-1350.

Recommendations

Because this vulnerability is very likely to be exploited, we recommend deploying the July 2020 security update immediately, outside of your normal patching cycle, starting with internet-facing DNS servers and domain controllers (which almost always run the DNS Server role).

If patching is not immediately possible, Microsoft has published a registry-based workaround that caps the size of DNS messages the server will accept over TCP, so that the oversized responses needed to trigger the flaw are rejected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
DWORD = TcpReceivePacketSize
Value = 0xFF00

The DNS Server service reads this value only at start-up, so it must be restarted afterwards. This is a stop-gap, not a fix: the vulnerable code is still present, and Microsoft notes that TCP DNS responses larger than 65,280 bytes (0xFF00) will be dropped without error, so some legitimate queries could go unanswered. Remove the value once the security update has been installed.
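The following PowerShell script is an added example, not code from the original alert or from Microsoft, that applies, verifies, or rolls back the workaround above on the local server. It assumes the registry path, value name and 0xFF00 value published by Microsoft; the script itself, its parameter name and its messages are ours. Run it from an elevated session on a host with the DNS Server role; on any other host it exits without changing anything.

```powershell
# Added example (not from the original alert or Microsoft): apply, verify, or
# remove Microsoft's interim registry workaround for CVE-2020-1350 on the local
# Windows DNS server. Run from an elevated PowerShell session.
#
# Assumptions: the key, value name and 0xFF00 value are the ones Microsoft
# published; the -Remove switch and the messages below are this example's own.

[CmdletBinding()]
param(
    # Roll the workaround back once the July 2020 security update is installed.
    [switch]$Remove
)

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$valueName = 'TcpReceivePacketSize'
$value     = 0xFF00   # 65280 bytes: keeps TCP DNS messages below the 64 KB needed to trigger the flaw

# Only hosts running the DNS Server role are affected; do nothing elsewhere.
$dnsService = Get-Service -Name DNS -ErrorAction SilentlyContinue
if (-not $dnsService) {
    Write-Host 'DNS Server service not present on this host; nothing to do.'
    return
}

if ($Remove) {
    # Rollback: deleting the value returns the server to its default TCP limit.
    Remove-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    Write-Host "Removed $valueName from $regPath"
}
else {
    # -Force creates the DWORD or overwrites an existing value in one step.
    New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord -Value $value -Force | Out-Null
    Write-Host ('Set {0} = 0x{1:X} in {2}' -f $valueName, $value, $regPath)
}

# The value is read only when the service starts, so restart it either way.
Restart-Service -Name DNS -Force

# Verify what is actually in effect after the restart rather than assuming it.
$current = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($Remove) {
    if ($null -eq $current) { Write-Host 'Verified: workaround removed.' }
    else { Write-Warning ('Value still present: 0x{0:X}' -f $current) }
}
else {
    if ($current -eq $value) { Write-Host 'Verified: workaround in place.' }
    else { Write-Warning "Unexpected value for ${valueName}: $current" }
}
Write-Host ('DNS service status: ' + (Get-Service -Name DNS).Status)
```

To apply the workaround across a fleet, save the script and run it with Invoke-Command against the list of servers that report a running DNS service; run it again with -Remove after the update has been confirmed installed on each host, since leaving the cap in place silently drops large TCP responses.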

Customers with automatic updates enabled need only verify that the July 2020 update has actually been installed. Do verify it: servers and domain controllers frequently have automatic installation deferred or disabled, and a pending reboot leaves the vulnerable code running.

Details

This vulnerability, dubbed SIGRed by the researchers who found it, could allow malicious code (malware, ransomware, a worm) to compromise your servers remotely and spread from one vulnerable host to another. It is a flaw in the Windows Domain Name System (DNS) Server service: the server mishandles the length of SIG resource records in DNS responses received over TCP, and a response larger than 64 KB can overflow a heap buffer. No user interaction is required; an attacker only needs to get a vulnerable server to process a crafted response, for example by causing it to resolve a name in an attacker-controlled domain. A worm could therefore spread across the internet or a local network, exploiting every reachable Windows DNS server it finds. The protocol and function differ, but the outcome could resemble the WannaCry outbreak of 2017.

All supported Windows Server versions are affected when the DNS Server role is installed, which in practice means most domain controllers. Non-Microsoft DNS servers (for example BIND or Unbound) are not affected. Microsoft lists the following affected products:

  • Windows Server 2019 (all versions)
  • Windows Server 2016 (all versions)
  • Windows Server 2012 (all versions)
  • Windows Server 2008 (all versions)
  • Windows Server, version 1903
  • Windows Server, version 1909
  • Windows Server, version 2004

At the time of writing no exploitation in the wild has been observed. However, as with the SMB vulnerability behind EternalBlue, which was patched in March 2017 and was being exploited by the WannaCry ransomware by May 2017, we expect malicious actors are actively working on an exploit or worm for this vulnerability and will attempt exploitation in the near future.

SOD Actions

At Security On-Demand we are actively monitoring for any indication that this vulnerability is being exploited. In particular, we are watching for spikes in, or unexpected, DNS activity, for events generated by intrusion detection and prevention systems and anti-virus, and for network anomalies.

Security On-Demand has also updated all Windows Servers in our environment to ensure we are not vulnerable and are not putting your data at risk.

Sources

Mitre CVE

Microsoft Security Update (CVE-2020-1350)

Microsoft Security Response Center

Ars Technica

Security On-Demand WannaCry Alert

For more information, email us at soc@securityondemand.com
